Title

The HYCU virtual appliance must implement replay-resistant authentication mechanisms for network access to privileged accounts. (Cat II impact)

Discussion

A replay attack may enable an unauthorized user to gain access to the application. Authentication sessions between the authenticator and the application validating the user credentials must not be vulnerable to a replay attack. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address this include protocols using nonces (e.g., numbers generated for a specific one-time use) or challenges (e.g., TLS, WS_Security). Additional techniques include time-synchronous or challenge-response one-time authenticators.

Check Content

The use of SSH-2 protocol for network/remote access prevents replay attacks. The SSH-2 protocol is the standard for the SSH daemon in the Linux OS used by HYCU. To determine the SSH version in use, log in to the HYCU console and execute the following command: ssh -v localhost If the output does not show remote protocol version 2.0 in use, this is a finding. HYCU web access uses TLS, which addresses this threat. HYCU web access cannot be configured to not use TLS.

Fix Text

Log in to the HYCU console and configure SSH to use the SSH-2 protocol by editing the protocol variable in the file "/etc/ssh/sshd_config".

Additional Identifiers

Rule ID: SV-268260r1038716_rule

Vulnerability ID: V-268260

Group Title: SRG-APP-000156-NDM-000250

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.